Heinemann, Peter G wrote:
> That's part of our puzzle. Happy to send more output if it would be helpful.

Yes, I wanted to see the entire output with debuglevel set to -1, for the connection
establishment and TLS handshake. That includes the hex packet dumps of the network
traffic. The fact that it connects fine even with an expired cert implies a bug in
the MozNSS cert validation functions.

> ldapsearch connects fine:
>
> connect success
> TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
> TLS: using moznss security dir /etc/openldap/certs prefix .
> TLS: certificate [CN=directory.upenn.edu,OU=ISC: N&T - NES - Identity and Access Management (IAM),O=University of Pennsylvania,STREET=3451 Walnut Street,L=Philadelphia,ST=PA,postalCode=19104,C=US] is valid
> TLS certificate verification: subject: CN=directory.upenn.edu,OU=ISC: N&T - NES - Identity and Access Management (IAM),O=University of Pennsylvania,STREET=3451 Walnut Street,L=Philadelphia,ST=PA,postalCode=19104,C=US, issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
> ldap_open_defconn: successful
>
> even when there's an expired cert in the chain:
>
> head pd-ldap1.certs (from this command:
> openssl s_client -host pd-ldap1.net.isc.upenn.edu -port 636 -showcerts 2>pd-ldap1.certs >> pd-ldap1.certs)
>
> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
> verify error:num=10:certificate has expired
> notAfter=May 30 10:48:38 2020 GMT
> verify return:0
> DONE
> CTED(00000003)
> ---
> Certificate chain
>  0 s:/C=US/postalCode=19104/ST=PA/L=Philadelphia/street=3451 Walnut Street/O=University of Pennsylvania/OU=ISC: N&T - NES - Identity and Access Management (IAM)/CN=directory.upenn.edu
>    i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
>
> [0 phei@pi-haproxy2 ~]$ head -20 pd-ldap1.certs
> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
> verify error:num=10:certificate has expired
> notAfter=May 30 10:48:38 2020 GMT
> verify return:0
> DONE
> CTED(00000003)
>
> ------------------------------------------------------------------------
> *From:* Howard Chu <h...@symas.com>
> *Sent:* Wednesday, June 3, 2020 9:43 AM
> *To:* Heinemann, Peter G <p...@isc.upenn.edu>; openldap-technical@openldap.org <openldap-technical@openldap.org>
> *Subject:* Re: ssl certificate chain
>
> p...@isc.upenn.edu wrote:
>> Not sure if this is an openldap issue but have to examine everything we can.
>>
>> We revised our nss certificate store as part of addressing the expiration of our root cert.
>>
>> It now has two certs, the end service cert and the intermediate.
>> Basic client operations (ldapsearch) work fine; using -d1 shows that the appropriate service certificate is loaded and the search is successful.
>
> What is the output from ldapsearch -d -1 ?
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
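As an added example (not from the thread, OpenLDAP or MozNSS), a small Python check that walks the PEM blocks in a `-showcerts` capture like the one above and flags every certificate whose notAfter has passed, independently of what the client's TLS library decides to accept. The minimal DER walk and the sample blob are my own construction; the sample is structurally minimal rather than a real certificate, with only its notAfter taken from the expired AddTrust root quoted in the thread.

```python
import base64, re
from datetime import datetime, timezone

# PEM blocks as they appear in an "openssl s_client -showcerts" capture.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """List the TLVs packed inside a constructed element's value."""
    out, pos = [], start
    while pos < end:
        out.append(_tlv(buf, pos))
        pos = out[-1][2]
    return out

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER certificate; no signature checks."""
    _, tbs_s, tbs_e = _children(der, *_tlv(der, 0)[1:])[0]   # tbsCertificate
    fields = _children(der, tbs_s, tbs_e)
    if fields[0][0] == 0xA0:                                  # optional [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    times = []
    for tag, s, e in _children(der, *fields[3][1:]):
        # UTCTime (0x17, two-digit year) or GeneralizedTime (0x18, four-digit year)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]

def expired_certs(showcerts_text, now=None):
    """Report each cert as (depth, notAfter ISO string, expired?) independent of any TLS library."""
    now = now or datetime.now(timezone.utc)
    report = []
    for depth, b64 in enumerate(PEM_RE.findall(showcerts_text)):
        _, not_after = cert_validity(base64.b64decode("".join(b64.split())))
        report.append((depth, not_after.isoformat(), not_after < now))
    return report

# Constructed sample: a structurally minimal DER blob (NOT a real certificate) whose
# notAfter is the May 30 10:48:38 2020 GMT expiry of the AddTrust root in the thread.
SAMPLE_DER = bytes.fromhex(
    "302e302c" "a003020102" "020101" "3000" "3000" "301e"   # Certificate/tbs, version, serial, sig, issuer, validity
    "170d3030303533303130343833385a"                        # UTCTime 000530104838Z
    "170d3230303533303130343833385a")                       # UTCTime 200530104838Z
SAMPLE_SHOWCERTS = ("Certificate chain\n 0 s:/CN=constructed-sample\n-----BEGIN CERTIFICATE-----\n"
                    + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n")
```

Running `expired_certs` over a real capture such as pd-ldap1.certs gives one tuple per chain depth, so an expired root like the one in the thread shows up as `True` even when the LDAP client reports the chain as valid.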